Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where does forwarded data exist if the index mentioned in my inputs.conf monitor stanza was not created?

snehal8
Path Finder
‎01-29-2015 02:44 AM

Hello Everyone,

I have created an inputs.conf file for deploying an app in host machine to forward data. 

[monitor:///xxxxxx]
index=a
disabled=false
sourcetype=Test

but have created an index called b and by mistake, in the inputs.conf file mentioned a, so data is came in splunk with this index but not getting where is exactly store.

Where exactly is the data sent in this scenario? How can I resolve this?

Thanks.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-29-2015 08:07 PM

If you do not have index A created, and configure and input to send to index A, then when the input sends and the indexers do not have the index, they will drop the events and generate and invalid index error. It will not move them to another index, or put them in _internal. (_internal is internal events for splunk only.)

If you want to move the events from index A to index B, then you need to copy the buckets at the file level. ( $SPLUNK_HOME/var/lib/splunk/** )

The instructions here are pretty straightforward :
http://answers.splunk.com/answers/126422/move-specific-data-from-one-index-to-another-index.html

Reply

aakwah
Builder
‎01-29-2015 03:56 AM

If index is not specified data will go to main index, you can get the logs by running

index=main

then specify the source from Fields sidebar then delete the event you want as per the following, but first you need to allow the user you are using to delete:

index=main source=test.gz | delete

Give user permissions to delete, from wen interface, I'll assume you are using admin user:

Settings, Access controls, Users, admin

In Assign to roles part, add can_delete, then save

Regards,
Ahmed

Reply

aakwah
Builder
‎01-30-2015 09:12 AM

Hi @snehal8, if the issue is resolved, please accept an answer to mark this issue as resolved.

Regards,
Ahmed

0 Karma
Reply

lguinn2
Legend
‎10-23-2015 07:00 PM

This only applies if no index has been specified. If the wrong index name was specified, then @esix is correct.

0 Karma
Reply

mzorzi
Splunk Employee
Splunk Employee
‎01-29-2015 03:17 AM

You can search for that data across all time and indexes. If nothing returns the data has not been indexed.

A very generic search is index=_* OR index=*

0 Karma
Reply

snehal8
Path Finder
‎01-29-2015 03:38 AM

Thanks for reply @mzorzi. in search it is not showing , but when i executing this query "index=_internal (host=*xxx* OR host=*xxx*) NOT (series=_* OR series=*summary*) source=*metrics.log group=per_index_thruput earliest=-7d | timechart span=1d sum(eval(kb/1024)) AS "MB indexed" by series" , then its showing index a with amount of data. then if it in "_internal" ? then how to move this data in my actual index b ? please help me on this

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...